A recent vulnerability (CVE-2024-26982) has been resolved in the Linux kernel, specifically regarding Squashfs - a compressed read-only filesystem for Linux. The vulnerability created an out of bounds access in the fill_meta_index() function due to an inode number with an invalid value of zero. Syskiller, a popular security research group, had discovered the flaw and helped develop a fix to patch the security issue.
The Patch
The patch adds a sanity check during inode creation that verifies if the inode number is not zero. If it is detected as zero, the function returns -EINVAL (invalid argument). This check helps prevent out of bounds access while using the metadata index.
Here is a snippet of the patch
/*
* Sanity check that the inode number is not the invalid value of zero
*/
if (inode_number == )
return -EINVAL;
Link to the original patch submission: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk
Exploit details
The vulnerability led to an out of bounds access because of an inode number that had the invalid value of zero. The following sequence of events occurred:
1. fill_meta_index() function was called to allocate and fill a metadata index. The function, however, faced a data read error and aborted, ultimately invalidating the newly returned empty metadata index. It did this by setting the inode number of the index to zero.
2. When fill_meta_index() was called again on another read operation, locate_meta_index() returned the previous index because it matched the inode number of zero. As a result, an out of bounds access was performed.
Conclusion
The resolution of this issue in the Linux kernel is crucial to maintain the security and stability of the system. Proper inode number validation is now in place, ensuring that the potential for out of bounds access due to invalid inode numbers is mitigated. Thanks to the work of Syskiller and the Linux kernel team, users can now enjoy a safer and more secure filesystem experience.
Timeline
Published on: 05/01/2024 06:15:15 UTC
Last modified on: 05/29/2024 05:26:23 UTC